Introduction
This is a coin design that combines many ideas to prevent common POW problems and enable it to function as a stable-value currency (without any reference to fiat) instead of just an asset. It isolates the functionality of POS, VDF, POW, and DAG methods to optimize their individual potential.
- Block creation: Hash-rate is replaced with stake-rate to simulate POW mining equipment for higher-security Nakamoto consensus & efficiency. VDFs are used to give a time-denominator for stake-rate. A potentially important discovery is that reversing Nakamoto consensus seems to prevent PoS problems. These 4 tweets summarize it.
- Coin creation: Solo mining for coin creation and distribution is by regular POW equipment in self-hashing transactions. This prevents pool centralization. It does not influence block-creation consensus.
- Dynamic coin parameters: Consensus vote winners (block creators) are able to slowly adjust coin parameters (coin emission rate, block size, block time, and fees) up or down by 0.02% per block in block headers, reducing developer power.
- Stable value: I argue that coin holders will initially vote for coin inflation, but settle on a stable-value (without reference to a fiat like other "stable" coins), in accordance with a store of value asset evolving into a stable-valued currency. This replaces arbitrary coin emission schedules with an economic intelligence (a feedback mechanism).
- Fast Finality: See the DAG article. ("finality" only applies if stake is not concentrated >40%)
- High transaction rate: See the DAG article. (If CPUs can validate 50 TB chains)
- Lack of BTC privacy and anonymity
- POW waste is still used to generate & distribute coin
- Honest stakers > attacking stakers.
- VDF works and is not hacked
- Old stake keys are not sold en masse for an attack.
- Reverse Nakamoto consensus can overcome a "multiple block" problem.
- Coins for staking are in wallets on active nodes instead of cold storage. This could be changed.
How this is not like regular PoS
- Like POW, there is only 1 message per vote, the block header.
- There's no stake registration or masternodes
- There's no time lock on stakes
- There's no stake-at-risk
- There's no need for grinding attack protection [correction: difficulty needs to be done carefully to prevent grinding of timestamps]
- There's no need for a random beacon
- There's no subjectivity
- There's no fake-stake attack
- There's no "rich get richer" problem with stake
Contents
- Part 1: Theory & Discussion
- Overview: how stake value differs from equipment value
- Importance of time (not waste) in Nakamoto consensus
- Time in distributed consensus networks
- The physics of generating randomness from POW & VDF equipment
- Future Work: Converting to a DAG
- Why POW coins lower hashrate to increase security
- POW security comes from risk of equipment value loss (not waste)
- Hashrate is ideally low-entropy/second production, not joules/second waste
- Replacing hash-rate with stake-rate by assigning stakes a time denominator
- Chia's VDF as the time denominator
- VDF definition
- Why stake-rate POW requires reversing Nakamoto consensus
- Splitting coin creation from consensus prevents pool centralization
- Do not pay voters (stakers) to vote (stake). Freedom isn't free.
- Getting stable value by letting stakers be the Fed
- Part 2: Details of reverse Nakamoto Consensus
- Overview
- Details
- Notes
- Part 3: Coin Specifics
- Solo-mining with self-mining txns
- Stake-controlled parameters in block headers
- hashes/coin required to get coin
- Block Size & block time
- Fees
- Block Header
- Self-staking txns
Part 1: Theory & Discussion
Overview: How stake capital differs from equipment capital
Papers have shown (and I'll demonstrate it below) that electrical costs do not affect POW security and even decrease it to the extent it reduces up-front equipment investment. The source of security comes from expected equipment value loss plus social reputation losses (if a miner attacks) being greater than the gains from an attack. But why can't we replace "equipment value" in POW with "coin value" in PoS? Why does PoS (but not POW) require a lot of complexity due to grinding attacks, the need for a random beacon, an increase in centralization, and/or require stakers to register participation? Why are most coins lowering hashrate in order to get higher security? Why are coins trying to avoid NiceHash & ASICs which should make mining & its marketplace more optimal?
POW equipment is an engine that produces hashes/second but stakes don't. It wastes energy doing so only because mining equipment is not ideally efficient. The difference between equipment value (a stake) and coin stake is that equipment stake is occupied during the hashing of a block. It can't double-vote at zero cost like coin stake. The equipment engine being "real" is deeply connected to proving the uniqueness of the bits in transactions (blocking double-spends). Equipment is value that is occupied over time while stake is just value. Value in both POW and PoS is used to solve cyberspace's identity problem, preventing Sybil attacks on consensus votes. Stake has value and uniqueness, but that's not enough to cast a unique vote. Time in the denominator of hashrate is what proves the equipment value did not double-vote without double cost during or after the vote. This article shows how to create a simple stake-rate that can replace hash-rate, avoiding PoS problems and complexity to get better security and less waste than POW.
POW is great for creating and distributing coins (value), which I'll retain. The equipment may or may not waste electricity. The cost of buying and operating equipment is a relatively consistent amount of waste of value in the real world that puts value on the chain. But waste (and I'll argue even paying voters to vote in consensus) reduces the security of coming to an honest and accurate consensus. So I'll use waste to create value on the chain, but use efficient consensus to transfer it.
Importance of time (not waste) in Nakamoto consensus
Here is my background article to show how Nakamoto consensus fits within classical Byzantine fault tolerance, and how any classical consensus mechanism that proves a chain of votes had the route of fewest partitions must similarly use an eventual and probabilistic scheme.
Nakamoto consensus ("POW") is amazing in that it uses only 1 message per block (the solved block itself) from a single miner to show he won the election process, and to announce the difficulty for the next election. A sequence of these shows any newly-joining node which chain has had the fewest network partitions (the largest vote participation). In discussing distributed networks that need to reach consensus agreement to a fact, I say "vote" or "voter" instead of hash, stake, or node (of a distributed system of voting nodes not blockchain nodes) because it immediately and more precisely conveys the goal of and commonality between these other terms. Traditionally (in a distributed network of nodes trying to reach consensus), voters need to register, prove their participation in each vote, and communicate back and forth to declare they agree on the consensus. This is an enormous amount of communication. In contrast, everyone in Nakamoto consensus immediately agrees to a block by seeing if the hash solved the puzzle, without registering (it's permissionless). POW replaces the communication complexity with local computing. As I discuss below, POW does not need to waste energy any more than the traditional method. Both require time. For a given amount of latency, more communication among more nodes requires more time. In POW terminology, a time cost enables a randomization in the election of a block leader with smallish likelihood of colliding with a concurrent winner. Instead of a communication overhead to prove unique identity and presence of nodes (in a traditional distributed network) during that time period, miners prove a hash cost. The hash cost is each hash's claim to unique identity. POW does not require the existence of electricity & depreciation costs. It works optimally on up-front equipment-only costs. This is the same as up-front stake costs except POW has a time cost where the equipment must prove its existence during the vote.
Stake in POS can have a cost and the initial stake itself can be created by POW. This proves unique identity, but it has no time cost that proves the identity voted only once during each vote. This inability results in complexity in PoS schemes. They have to bend over backwards to inject a source of randomness to elect a block leader, but a properly functioning election process generates its own randomness.
Time in distributed network consensus
In the next two paragraphs, a single hash (or the smallest unit of a stake) serves as a single "voting node" that's participating in reaching consensus. We can't identify individual "miners" or "stakers", so we treat individual hashes or stakes as "individuals" in the consensus vote.
Update:
CAP theorem & tradeoff triangle combined to show bandwidth is the limitation:
Older text:
(C+P+PL) * N * LL = O
C & P are bytes per round per voting node to prove Consistency (Correctness) exists on the largest Partition of voting nodes.
PL = payload = txs / round / voting node.
LL = Low Latency = fast finality = Availability = Scalability = rounds/second
O = Overhead = bytes/sec required
Scalability trilemma's "security" means C & P are proven. N = number of nodes = number of independent voters with equal voting weight = decentralized. With non-equal weight it has lower decentralization but allows faster LL.
In POW, the C and P byte requirements are incredibly low at 1 header per round and needing only a few headers, and N (distinct miners) can be small. Mining is not necessarily decentralized but it does not need to be: the security is achieved by the profit motive of miners not wanting to lose more value in their equipment than they can gain by colluding. POW is able to move the C&P bandwidth requirements off the network to computation. This frees up O for transmitting more txs.
In distributed consensus, the CAP theorem says we can't have Consistent data that is immediately Available to every node, and have network Partition tolerance all at the same time. If each variable can vary 0 to 1 from worst to best, you can think of this theorem as C*A*P = 0.5 so that one of them has to be 0.5 to enable the other two to be 1. This is not a literal mathematical fact but my way of thinking about how the variables are constrained. So we have to have a time cost (lower A) to get more Consistent data and more Partition tolerance.
The tradeoff triangle says we can't have fast finality (the C*A in CAP), Low Overhead (fewer bytes/second/transaction), and a large number of Nodes (voters) at the same time. To reveal if this is just a restatement of the CAP theorem I use (C*A)*1/(O/N) = 0.5 where P = 1/(O/N) = the inverse of Overhead per Node. This seems to be a claim that partition tolerance is easier with many voters (Nodes) and less communication (Overhead). If we require a given level of Consistency, we can use a higher time cost (1/A) to lower fast finality (C*A) in order to get higher attack tolerance (higher P = N/O). Time cost enables POW to maximize this ratio. This might be mathematized another way: C/T = O/N where T=1/A = time. Faster finality equals more communication per node. More completely:
Another limitation, again related to the CAP theorem, is the scalability trilemma which means we can't have scalability, security, and decentralization. It's a restatement of the tradeoff triangle where scalability means number of possible transactions which means lower communication overhead per transaction when given a limit on network bandwidth (which includes the time cost to validate). Decentralization simply put means many nodes and security means the finality in "fast finality" can be trusted.
By having a time-range in which a winner can be found, it's uncommon for two or more valid winners to announce themselves at about the same time. The size of the blocks and network latency place a lower limit on the time range a vote in POW needs to occur (to reduce the frequency of "simultaneous" winners).
Time isn't everything: In the above CAP and tradeoff triangle discussion, there's an assumption that Sybil attacks are not being performed. To some extent the nodes are assumed to be independent actors (or at least not colluding to attack the consensus results). The value cost of equipment stake or coin stake addresses the Sybil/identity/uniqueness problem. Time cost prevents the same identity (based on value) from double-voting based on time as opposed to faking identity to double vote.
Physics of randomness from POW & VDF equipment
POS without VDF faces a deep problem of where to get a random number for electing the winner in a consensus vote. Generating the random number is the reason POW equipment and VDF equipment (with POS) are needed. The number of options (states) needed to elect a winner is limited by physics to equipment efficiency*energy*time. POW has an efficiency loss at converting energy to hashes while VDF has an efficiency loss at ensuring a computation took a number of clock cycles, so it can be a lot more efficient in establishing consensus through random selection of winner. The max number of states (at the quantum level) in the perfect POW or VDF equipment is energy*time/4/h, which is extremely small.
Decentralized consensus requires equipment that can change state. VDF clicks with time and POW generates a hash. VDF assumes there is a max clock rate which is a source of weakness in the conversion my argument depends on, but it may have a fundamental limit such as 10 GHz possibly radiating too much energy from the line traces in the ICs. Each hash is a unique identity that isolates the winner in both space (the location of the equipment) and time (which vote it won). The lowest theoretical energy cost per block to elect a winner is joules = 4*h*N/T where N = number of candidates in the election and T = how long the election takes. Presence of attackers does not increase this cost because there is no way to hash faster except to spend more upfront costs to have more equipment that can start with a different nonce. This is a cost which functions like a provable unique identity. The election's equipment cost is zero per election if there is a large number of elections for which the equipment is used. So protection against attacks is like a "potential" energy cost (stored, not wasted as heat except for the initial expense and consequent heat) to participate in elections, but the election cost is the "kinetic" (heat, aka randomization) cost of elections whose lower limit is 4*h*N/T.
In other words, capital costs are the source of BTC's security, not rolling costs such as wasted electricity. This has been repeatedly shown in research such as this article, but popular twitter pundits do not seem aware of it.
In both POW and this POS-VDF-POW scheme, POW proves a unique identity. Using POW for identity in consensus allows temporary identities to vote by "off-chain" POW equipment. POS-VDF-POW uses POW to create a stake for the POS which becomes an on-chain identity. POW consensus voters are more like mercenaries than citizens. In a mature and ideal marketplace, which may likely be the case as we shift from rewards to fees, POW mining should be rentable (like a mercenary) which makes 51% attacks easy and profitable on their own in addition to enabling double-spending attacks.
By using stake derived from the cumulative hashes (aka cumulative difficulty) in the coin's past (as opposed to current POW hashrate (difficulty) for say 6 blocks) as the proof of citizenship in each election, POS-VDF can require much more equipment "energy" (equipment plus electrical expenses) to establish unique identity for voting than POW. This is why it should be a lot easier to attack with 51% hashrate in POW than with 51% total hashes (stake) in POS-VDF, if all holders of the coin ("citizens") are voting (staking). Some day POW should be rentable.
BTW, POS without VDF requires time-locking the stakes to function like a VDF. It's inferior because it does not block long-range attacks.
Converting to a DAG
See https://github.com/zawy12/difficulty-algorithms/issues/40
Why coins lower hashrate to increase security
ASICs, botnets, NiceHash, and Merge Mining are examples of increased hashrate (HR) that usually decrease security. This is because security is based on:
(X equipment HR)/(non-X equipment HR) > 50%
Where X can be described as staked, non-colluding, or dedicated equipment. Coins do things to lower the non-X portion which decreases the total HR but increases security. To increase the X (to be sure it is "staked"), it might be morally or culturally motivated to not attack, but it's better if the X is at risk of loss in order to prevent 51% of the miners from naturally colluding (which can evolve without communication) to harm the other 49% and users (see next section).
It's difficult if not impossible to keep the non-X equipment portion low and to keep the X portion from colluding. All coins that do not depend on a central control system can be attacked (for example, the Chinese government could force its miners to harm BTC). If stake-based consensus were possible without its usual drawbacks, it could be much more reliable in keeping the ratio above 50%.
POW security comes from risk of equipment loss (not waste)
The "rolling costs" of equipment depreciation and electricity costs are not in the previous equation. They even decrease security by decreasing the reward+fees that miners can spend on equipment. This up-front cost keeps them dedicated, assuming they do not have a more profitable coin to turn to. If equipment depreciation could be minimized (Moore's law bypassed), even more value could be spent on up-front equipment costs. If large equipment owners attack the coin, and the coin is the largest for that POW, then their equipment value decreases (if the coin loses value due to the attack). This is why Chinese miners do not collude to do 51% attacks on BTC. All this can be summarized in a second equation that determines POW security.
(current+future equip value lost in attacking) > (attack profits)
If you do not agree with the above, here are appeals to authority (aka references): A popular research paper last year and Nick Szabo has said pretty much the same thing.
Hashes/second is low-entropy/second production, not joules/second
It's clear you can spend more on equipment to spend less on electricity. Hashes do not theoretically require any energy, except for Bremermann's incredibly low physical limit (Energy per bit change = h/4/second => 1.5 watts to switch 100 quadrillion perfectly efficient transistors at 10 quadrillion Hz). This shows a measurable amount of energy is not fundamental to equipment operation, but only to manufacturing it, which is a value. Likewise in this new consensus mechanism, a "stake-rate" to replace hash-rate will not require energy, but it does require energy in its creation. Hashing looks for low-entropy solutions, so POW equipment is an engine that produces lower-entropy/second instead of joules/second. Hashing requires energy only because our equipment is not yet close to the ideal. Stake-rate in this system will also produce lower-entropy/second and it is already at the ideal. Wasted energy puts value on the chain. Low-entropy production produces consensus. BTW, lower entropy increases net available work (energy) in systems at a given temperature, so it may have a value that can be viewed as energy, but I think that's a red herring.
Replacing hash-rate with stake-rate by assigning stakes a time denominator
I've shown the perfect POW equipment does not waste energy other than in its creation, so that the hashes/time it produces can be equated to equipment value. I've shown stake value can't replace equipment value in solving the identity problem for voting. But we can look at the hash/time output of equipment and replace hash value with stake value and give the stake a time denominator by forcing it to be occupied (in time) during a vote to prevent double voting. To force stakes to be occupied, we need the VDF function in the next section. We can't simply use a time-lock or tighten the FTL and MTP limits on timestamps. There is a random number seed (and its modification during each block provided by the indeterminacy of the wide voting population) that needs to pass "through the stake-time marriage" during the vote (during the block-leader selection process).
Chia's use of VDF is Not Like This
Why stake-rate POW requires reversing Nakamoto consensus
The only working method of using VDF-delayed stake I could find required reversing the consensus process by starting with a nonce and ending with block creation. If it's not done this way, grinding attacks and/or contamination of the randomness occurs. From a theoretical standpoint, it had to be done backwards because POW takes time to prove equipment value. Time comes before the proof of value. But in stake-rate POW, the stake's proof of value must come before the time-delay calculation because we have to use the stake's quantity to determine how much time it should be delayed compared to other stakes of different quantity. Surprisingly, this conflict can be resolved by running the consensus backwards. In other words, we can view the consensus as going backwards in time, so that the time delay still comes "before" the proof of value, as in POW. But we still get to use the stake quantity to properly adjust the time delay.
BTW, doing block creation at the end allows the staker to create many different blocks quickly, but it does not allow a grinding attack because the block hash is not our seed for randomness. We use the output of the VDF as the seed for the next block. As in POW, our random adjustment to the previous seed comes from the population of value-weighted voters (hashers or stakers).
Splitting coin creation & consensus removes pool centralization
POW's proof of waste is still used in this scheme to put value on the chain. Splitting them has a tremendous benefit. It enables solo mining via self-mining txns that prevent the need for pools. See Coin Specifics section.
Do not pay voters to vote. Freedom isn't free.
Paying stakers to stake could cause an unwanted concentration of wealth, but there are other reasons to believe they shouldn't be paid, and shouldn't need to be. Cryptography enables security without cost. We don't have to pay for a vault. Similarly, I hope to show decentralized consensus without cost is possible, other than operating a node. If coin holders want to keep their value, they better run a node. "Freedom isn't free." Voters should vote. They are more honest if we don't pay them to vote, but we need to try to make it inexpensive to vote. The ethos in the community should be "run your own node, or the coin's going to be attacked." Schemes that do not need us to run nodes to cast our votes are schemes that sacrifice freedom (that is, they sacrifice decentralization).
Full-time staking might be motivated with 2% interest per year to off-set an across-the-board 2% demurrage, but I will not try to pursue that route. It might help prevent large stakers from concentrating wealth. It would act like an efficient lottery (your odds are even) for small coin holders (a few lucky small holders get a big payout while many unlucky ones lose the 2%).
Getting stable value by letting stakers be the Fed
Each block winner can increase or decrease the difficulty that is used for the self-mining txns (see below). This will indirectly determine coin emission rate. Ostensibly coin holders will set difficulty low to begin with to get coin cheaply and increase it later to limit coin inflation. So hopefully there will be a shift from "store of value" to "currency". I believe they will eventually decide on stable value. The emission rate should be more intelligent by letting coin holders dynamically determine it instead of arbitrarily setting it at coin creation.
Moore's law prevents us from using a constant difficulty to keep stable value. Difficulty increases precisely with price over the short term when coin emission rate is fixed. But due to the unpredictability of Moore's law and other advances, price would decrease if difficulty is constant for a long time due to inflation. We need an oracle to adjust for Moore's law and software changes. We do not want the centralization of off-chain oracles. Coin holders (stakers) may serve as an ideal decentralized oracle to make the adjustment on the chain as they are forming blocks.
A cryptocurrency has no inherent long-term value without stable value. A long-term holder (staker) realizing this will vote for stable value. If the majority of stakers try to increase the difficulty too much to get better returns, they will eventually lose value from insufficient users wanting to use it as a currency.
The coin's white paper and devs may need to only recommend that block winners set the difficulty to track constant value so that it always costs miners 1 dollar in terms of year 2020 to get 1 coin (stable value in terms of 2020 dollars). There may be a desire by purchasers and users for it to track the dollar even as the dollar slowly devalues so that a wider audience immediately has a reference for its value. But there's no mechanism for determining that desire and holders (stakers) would not be willing to respond to it anyway.
A stable-valued currency occurs when coin quantity remains proportional to GDP/velocity. For example, assuming constant velocity, if $1 B is spent a week and total coin quantity is $100 B, and if $2 B/week is spent a year later due to a larger GDP, then coin quantity should become $200 B or it will be valued 2x more, which is harmful to it as a currency because that would invalidate contracts (prices and wages) and law that are expressed in terms of the coin. I would like to incorporate this knowledge as part of the difficulty adjustment, assisting (or counteracting) staker decisions. If the txn volume per week per total coin qty is increasing, I don't have a metric to determine if the increase is from a real GDP increase or if velocity is increasing, so I don't know if coin emission rate should be higher or lower. If I knew, how is the target GDP/velocity chosen? How much should coin emission rate increase to avoid too much lag on the one hand and oscillations on the other? The fees on txns should discourage a manipulation of the metric with do-nothing txns. Transactions would be unconscious fee-weighted votes on a difficulty adjustment. Stakers could revolt by omitting txns, but that would destroy the value of their stakes.
The minimum unit should be 0.001 coin because 1/10th of a penny is dust and the txns/sec limitation in this technology is severe. This is the value of a Satoshi at 1 BTC = $100,000.
Part 2: reverse Nakamoto Consensus
This enables stake-rate to replace hash-rate. A Verifiable Delay Function (VDF) is used to get the time denominator for stake-rate. Since equipment value (hash-rate) requires time to prove its value during the vote, time comes before the proof of value. But stake value is used to adjust the time delay in stake-rate, so stake value comes before time. This prevents the value from demonstrating to the chain that it did not vote twice. This is remedied by doing the consensus backwards. This prevents problems normally seen in PoS.
The rest of this section has been superseded by this article.
Part 3: Coin Specifics
POW to generate & distribute coins
POW waste is still needed to fairly distribute coin. We can use self-hashing txns to enable solo mining (aka self-mining txns). People could use their own mining equipment or rent NiceHash. The self-hashing txn consists of a destination addr, a difficulty that determines how many coins will be obtained based on the difficulty_2 (hashes/coin, see below) that is in the block header, a block number that is 20 blocks into the future, and a nonce. The amount of coin the miner gets is determined by the difficulty_2 setting in the header of the block in which his txn is included. The miner hashes the txn until the nonce solves the difficulty that's in the txn. After he releases it, hopefully a staker will include it in the next 20 blocks. The staker must confirm the nonce is a solution and that the txn was not previously submitted in the past 20 blocks. This allows stakers time to include it while preventing the need to check for the same txn in the distant past. If the stable value idea is not used, a regular difficulty algorithm is used to determine emission rate just like regular POW. Either way, pools are obsolete. Txn fees will prevent too many mining txns, so there is no minimum. Keccak256 may be a good choice of POW. The ideal POW is one which "everyone" has equal access to (not giving an undue advantage to botnets or undisclosed specialized ASICs). A POW with good ASICs on the open market would be good.
Coin holders adjust coin parameters
A block creator can change the numerically-valued parameters up or down 0.02% from previous block. For example, if a fee is 0.1%, then a single block can increase it to 0.10002%. If 60% of block-winners (stakers) want fees to be 2x higher and 20% stakers vote against them, it will take N = 8665 blocks (30 days with 300 second blocks) to make the change. The equation is: N = log(2)/log(1.0002)/(0.6-0.2). This is the same as if 40% are voting for the increase while 60% are silent.
Block headers will have fields under the control of stakers for mining difficulty, block size, block time, fees per byte, and fees per coin in txns.
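The per-block limit above, as an added example (not code from the original post): the check a validating node could apply to each staker-controlled header field, the text's estimate for N, and a seeded simulation of block winners voting in proportion to stake. Storing the fields as integers and all function names are assumptions.

```python
# Added example (not the project's code): the +/-0.02%-per-block rule for
# staker-controlled header fields. Integer field encoding is an assumption.
import itertools
import math
import random

STEP_NUM, STEP_DEN = 2, 10_000   # 0.02% per block, from the text


def step_valid(prev: int, new: int) -> bool:
    """Validator check: |new - prev| <= 0.02% of prev, in exact integer math."""
    return abs(new - prev) * STEP_DEN <= prev * STEP_NUM


def smallest_adjustable() -> int:
    """Smallest integer field value that can legally move by one unit.
    Below it, an integer-encoded parameter is frozen by the rule."""
    return next(v for v in itertools.count(1) if step_valid(v, v + 1))


def blocks_to_scale(factor: float, up: float, down: float) -> float:
    """The text's estimate N = log(factor) / log(1.0002) / (up - down)."""
    return math.log(factor) / math.log(1 + STEP_NUM / STEP_DEN) / (up - down)


def simulate(start: int, target: int, up: float, down: float, seed: int) -> int:
    """Count blocks until the field reaches `target`. Each block winner votes
    up, down or abstains with probability equal to that camp's stake share."""
    rng = random.Random(seed)
    value, blocks = start, 0
    while value < target:
        delta = value * STEP_NUM // STEP_DEN   # largest legal move this block
        r = rng.random()
        if r < up:
            new = value + delta
        elif r < up + down:
            new = value - delta
        else:
            new = value
        if not step_valid(value, new):         # what every validator re-checks
            raise ValueError("header field moved more than 0.02%")
        value, blocks = new, blocks + 1
    return blocks


if __name__ == "__main__":
    # The text's fee example, 0.1% -> 0.10002%, in units of 0.000001%.
    print("0.1% -> 0.10002% allowed:", step_valid(100_000, 100_020))
    print("0.1% -> 0.10003% allowed:", step_valid(100_000, 100_030))
    print("estimate for 2x at 60% up / 20% down:",
          round(blocks_to_scale(2, 0.6, 0.2)))
    print("simulated:", simulate(1_000_000, 2_000_000, 0.6, 0.2, seed=1))
    print("smallest adjustable integer value:", smallest_adjustable())
```

The simulated count varies by a few hundred blocks between seeds because block winners are drawn at random, while the formula gives the expected value.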
Block Header
- Same as BTC, except no nonce.
- Consensus-related:
- a reference to Stake txn (its "address")
- VDF-value "y" & proof π
- Signature of block header with stake key
- Block winner controlled coin parameters
- Difficulty2 target for self-mining (nBits type)
- Max block size in 100 kB (3 Bytes)
- Target solvetime (3 Bytes) 3 bytes needed for voting accuracy
- txn fee per byte (3 bytes)
- txn % fee per coin (3 bytes)
- Total coin quantity mined (7 bytes)
- Foundation wallet address for fees (34 bytes) ? Modifiable by who?
- Code URL (probably Github) ? Modifiable by who?
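An added example of the self-mining txn flow from "POW to generate & distribute coins", checked against the Difficulty2 header field listed above; it is not code from the original post. The field layout, integer difficulties (hashes and hashes/coin), payouts in the 0.001-coin minimum unit, and SHA3-256 from Python's hashlib standing in for the suggested Keccak256 are assumptions. Treating the txn's block number as an expiry that must lie 0 to 20 blocks ahead of the including block is one reading of the text, and it is what lets the staker forget txns older than 20 blocks.

```python
# Added example (not the project's code): a self-mining txn is ground by a
# solo miner, then checked by a staker before inclusion. Field layout,
# SHA3-256 and integer difficulties are assumptions made for illustration.
import hashlib
from dataclasses import dataclass, replace

WINDOW = 20    # blocks a txn stays includable (from the text)
MILLI = 1000   # payouts in 0.001-coin units, the text's minimum unit


@dataclass(frozen=True)
class SelfMiningTxn:
    dest_addr: str
    difficulty: int     # expected hashes the miner claims to have spent
    block_number: int   # creation height + WINDOW; treated as an expiry
    nonce: int = 0

    def digest(self) -> bytes:
        body = f"{self.dest_addr}|{self.difficulty}|{self.block_number}|{self.nonce}"
        return hashlib.sha3_256(body.encode()).digest()

    def solves(self) -> bool:
        # Valid when the hash falls below 2**256 / difficulty, so a higher
        # claimed difficulty needs proportionally more hashing.
        return int.from_bytes(self.digest(), "big") < (1 << 256) // self.difficulty


def mine(dest_addr: str, difficulty: int, height: int) -> SelfMiningTxn:
    """Solo miner: grind the nonce until the txn's own difficulty is met."""
    txn = SelfMiningTxn(dest_addr, difficulty, height + WINDOW)
    while not txn.solves():
        txn = replace(txn, nonce=txn.nonce + 1)
    return txn


class Staker:
    """Block creator's checks before including a self-mining txn."""

    def __init__(self, difficulty_2: int):
        self.difficulty_2 = difficulty_2   # hashes per coin, from the header
        self.seen = {}                     # txn digest -> inclusion height

    def include(self, txn: SelfMiningTxn, height: int):
        """Return (accepted, reason, payout in 0.001-coin units)."""
        # Forget anything older than the window; the expiry check below
        # makes those txns unincludable anyway.
        self.seen = {d: h for d, h in self.seen.items() if h >= height - WINDOW}
        if txn.difficulty < 1:
            return False, "bad difficulty", 0
        if not 0 <= txn.block_number - height <= WINDOW:
            return False, "outside window", 0
        if not txn.solves():
            return False, "nonce does not solve", 0
        if txn.digest() in self.seen:
            return False, "replay", 0
        self.seen[txn.digest()] = height
        return True, "ok", txn.difficulty * MILLI // self.difficulty_2


def demo():
    staker = Staker(difficulty_2=1024)                 # constructed value
    txn = mine("addr-constructed", 4096, height=100)   # expires at block 120
    inflated = replace(txn, difficulty=txn.difficulty * 1_000_000)
    return [
        staker.include(txn, 101),        # fresh, solved, inside the window
        staker.include(txn, 102),        # same txn submitted again
        staker.include(inflated, 103),   # claims more work with the old nonce
        staker.include(txn, 125),        # already pruned from memory, but expired
    ]


if __name__ == "__main__":
    for result in demo():
        print(result)
```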
Initial settings in block headers
Consensus vote will slowly modify these in every block.
- difficulty = $0.05/coin
- block time = 300
- max block size = 4 MB
- % fees = 0
- fees / byte = 0.001
- dev or foundation address